re: DECODING EMAILS BETWEEN MS EXCHANGE AND A CLIENT

• Previous message: David Eduardo Acosta Rodríguez: "Re: VoIP testing Help"
• Next in thread: Steve A: "RE: DECODING EMAILS BETWEEN MS EXCHANGE AND A CLIENT"
• Reply: Steve A: "RE: DECODING EMAILS BETWEEN MS EXCHANGE AND A CLIENT"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 21 Jul 2005 08:51:15 -0400
To: pen-test@securityfocus.com

Steve - funny, I'm currently working on the same problem. So far all
I've got is doing a session capture and packed decode with ethereal. I
have also exhaustively searched for a X.400 tool, but have so far
found none. In my free time I might be planning to write a parser to
extract just the packet payload, but I'm a little out of free time at
the moment.

-dan

 
Steve said:
We currently have a task that requires us to perform a capture of emails
between an MS Exchange server and a MS Office Outlook (x400) client. I
recognise a dirth of SMTP and POP sniffing programs out there but nothing
seems to be able to decode the DCE RPC encoding/encryption of the exchange
client communications.

Is there anyone out there with knowledge of a product that will allow these
emails to to captured and monitored. Oh before anyone suggests any exchange
resident software, that option is out, we need to be external of the server
and not a member of the domain - just sniffing the stuff as it goes by.

Alternatively, does anyone know of a tool that will allow me to crack the
RPC encryption/encoding to see the email in clear before I replay it to a
server for keyword monitoring purposes?

Oh the architecture is a 200 server with exch 2003 and a XP client with
Office 2002 (incase that matters/helps)

All tips gratefully received.

Steve A

steve<at>logicallysecure.org

• Previous message: David Eduardo Acosta Rodríguez: "Re: VoIP testing Help"
• Next in thread: Steve A: "RE: DECODING EMAILS BETWEEN MS EXCHANGE AND A CLIENT"
• Reply: Steve A: "RE: DECODING EMAILS BETWEEN MS EXCHANGE AND A CLIENT"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Has anyone used Form Processor Pro from MitriDAT? ... Steve, thanks for this. ... getting an error when you hit 'SUBMIT' (screen that appears says 'FrontPage ... >> The problem seems to be with the server, ... >> capture language), you'll need to use data capture methods they DO support ... (microsoft.public.frontpage.programming) RE: Simple Windows incident response methodology ... Phase I - Preparation (Update forensics toolkit) ... What is the server used for? ... Capture the date and time of the system i. date /t> a:\datetime.txt ii. ... echo Net Accounts:> a:\net.txt ... (Incidents) RE: WINS Error 4204 ... You may test if your WINS server works properly by using the nblookup.exe ... Click Capture -> Buffer Settings, and then set the Buffer Size to 30 MB. ... Microsoft CSS Online Newsgroup Support ... (microsoft.public.windows.server.sbs) Simple Windows incident response methodology ... What is the server used for? ... Prepare for analysis of volatile information (Floppy Disk analysis) ... Capture information about running processes using pslist: ... echo Net Accounts:> a:\net.txt ... (Incidents) RE: Simple Windows incident response methodology ... this is not an assessment methodology that will be easy to ... An incident response CD is just a bootable CD with boot disk images ... What is the server used for? ... Capture information about logged on users using psloggedon: ... (Incidents)